US representatives have called on the Biden administration to launch an urgent probe into NSO Group, the Israeli spyware manufacturer that has found itself at the centre of a surveillance scandal after investigations linked its Pegasus software to illicit spying on politicians, activists and journalists.
In a statement, lawmakers Tom Malinowski of New Jersey, Katie Porter of California, Joaquin Castro of Texas and Anna Eshoo of California, said the revelations about alleged misuse of the Pegasus spyware by authoritarian regimes demonstrated that the “hacking for hire” industry needed to be bought under control.
“Private companies should not be selling sophisticated cyber-intrusion tools on the open market, and the United States should work with its allies to regulate this trade,” they said. “Companies that sell such incredibly sensitive tools to dictatorships are the A.Q. Khans of the cyber world. They should be sanctioned and, if necessary, shut down.”
The representatives said NSO’s persistent denials that it had sold its product to authoritarian governments, that a list of 50,000 alleged targets of Pegasus users had nothing to do with it, and that it had been the victim of a coordinated media campaign against it, were not credible.
They accused the company of showing an “arrogant disregard” for the concerns of elected officials, human rights activists, journalists and cyber security experts.
“The authoritarian governments purchasing spyware from private companies make no distinction between terrorism and peaceful dissent,” the representatives said. “If they say they are using these tools only against terrorists, any rational person should assume they are also using them against journalists and activists, including inside the United States.
“Selling cyber-intrusion technology to governments like Saudi Arabia, Kazakhstan and Rwanda based on assurances of responsible use is like selling guns to the mafia and believing they will only be used for target practice.”
The group is calling on the US government to: call out private companies that sell cyber-intrusion tools to governments with a history of misusing them; enact legislation or executive orders to hold those that sell such tools to authoritarian states accountable; speed up US accession to the Wassenaar Arrangement’s controls on cyber-intrusion tools; consider adding NSO to the US Commerce Department’s Entity List (the same list that Huawei is on) and consider sanctioning its clients under the Global Magnitsky Act; ensure NSO cannot access US investor funding; and investigate the possible targeting of US citizens, including journalists, aid workers and diplomats, with Pegasus software.
NSO Group has been approached for comment, but at the time of writing had not responded. In an interview with the BBC, published late last week, it continued its denials. A spokesperson told the BBC that if a drunk driver kills someone, they are held responsible, not the manufacturer of the car they were driving, and that attention should instead be paid to its customers, who would not remain customers if they were found to be abusing the Pegasus spyware product.
In its most recent statement on 21 July, NSO said: “In light of the recent planned and well-orchestrated media campaign lead by Forbidden Stories and pushed by special interest groups, and due to the complete disregard of the facts, NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.”